opensnitch/ebpf_prog
Gustavo Iñiguez Goia 9e630d009d
ebpf: fixed loading modules on arm32 arch
Make use of kernel macros to decide for what architectures we compile
the modules.

On armv7l the connections module was failing due to iptunnel_xmit, so
exclude it from being compiled.

One can export ARCH=arm, ARCH=i386 or ARCH=arm64 to compile the modules
for these architectures, instead of having to edit the source files.
2022-12-13 23:59:54 +01:00
arm-clang-asm-fix.patch ebpf: added patch to compile ebpf module for arm 2021-04-21 20:49:31 +02:00
common.h ebpf: increased ring buffer size, hook execveat 2022-10-13 01:44:23 +02:00
file.patch Use ebpf program to find PID of new connections. (#397) 2021-04-05 11:28:16 +02:00
Makefile ebpf: improved process detection/new events module 2022-06-24 01:09:45 +02:00
opensnitch-dns.c ebpf dns module: fixed compilation warning 2022-10-05 14:33:05 +02:00
opensnitch-procs.c ebpf: fixed loading modules on arm32 arch 2022-12-13 23:59:54 +01:00
opensnitch.c ebpf: fixed loading modules on arm32 arch 2022-12-13 23:59:54 +01:00
README ebpf instructions updated 2022-11-18 21:50:42 +01:00

Compilation requires getting kernel sources.

There's a helper script to automate this process:
 https://github.com/evilsocket/opensnitch/blob/master/utils/packaging/build_modules.sh

The basic steps to compile the modules are:

  sudo apt install clang llvm libelf-dev libzip-dev flex bison libssl-dev bc rsync python3
  cd opensnitch
  wget https://github.com/torvalds/linux/archive/v5.8.tar.gz
  tar -xf v5.8.tar.gz
  patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch
  cp ebpf_prog/opensnitch*.c ebpf_prog/common.h ebpf_prog/Makefile linux-5.8/samples/bpf
  cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min)
  cd samples/bpf && make
  objdump -h opensnitch.o # you should see many sections; section 1 should be called kprobe/tcp_v4_connect
  llvm-strip -g opensnitch.o # remove debug info
  sudo mkdir -p /usr/lib/opensnitchd/ebpf && sudo cp opensnitch*.o /usr/lib/opensnitchd/ebpf/ # /etc/opensnitchd/ still works but is deprecated, see below
  cd ../../../daemon

opensnitchd expects to find opensnitch.o in:
 /usr/local/lib/opensnitchd/ebpf/
 /usr/lib/opensnitchd/ebpf/
 /etc/opensnitchd/ # deprecated

start opensnitchd with:

  opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf

The kernel where you intend to run it must have some options activated
(note that a plain grep for BPF would not show the KPROBES options, so match both;
if your distribution does not ship /boot/config-*, use zcat /proc/config.gz instead):

 $ grep -E 'BPF|KPROBE' /boot/config-$(uname -r)
  CONFIG_CGROUP_BPF=y
  CONFIG_BPF=y
  CONFIG_BPF_SYSCALL=y
  CONFIG_BPF_EVENTS=y
  CONFIG_KPROBES=y
  CONFIG_KPROBE_EVENTS=y

For the opensnitch-procs.o module to work, this option must be enabled:

 $ grep FTRACE_SYSCALLS /boot/config-$(uname -r)
  CONFIG_FTRACE_SYSCALLS=y

Also, in some distributions debugfs is not mounted automatically, so you need
to do it manually:

 $ sudo mount -t debugfs none /sys/kernel/debug

To make it permanent, add this line to /etc/fstab:

debugfs    /sys/kernel/debug      debugfs  defaults  0 0
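
The checks above (kernel options for the modules, the extra option for opensnitch-procs.o, and the debugfs mount) can be run in one go before starting the daemon. The following preflight script is an added example written for this page; it is not part of the opensnitch repository. The option list is the one from this README; the default file paths (/boot/config-$(uname -r) and /proc/mounts) and the --run flag are this script's own conventions and can be overridden for testing.

```shell
#!/bin/sh
# Added example (not opensnitch code): preflight checks for the eBPF modules.
# Assumes the kernel config is readable at /boot/config-$(uname -r) and that
# mounts are listed in /proc/mounts; both paths can be overridden.

# Kernel options all modules need (list taken from the README above).
REQUIRED_BPF_OPTS="CONFIG_CGROUP_BPF CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_EVENTS CONFIG_KPROBES CONFIG_KPROBE_EVENTS"
# Needed additionally by opensnitch-procs.o.
REQUIRED_PROCS_OPTS="CONFIG_FTRACE_SYSCALLS"

# check_kconfig <config-file> <opt...>
# Prints every option that is not set to =y in <config-file>.
# Returns 1 if any option is missing, 0 otherwise. The anchored pattern
# matches whole option names, so CONFIG_BPF does not match CONFIG_BPF_SYSCALL.
check_kconfig() {
    cfg=$1; shift
    missing=0
    for opt in "$@"; do
        if ! grep -q "^${opt}=y\$" "$cfg"; then
            echo "missing: ${opt}=y"
            missing=1
        fi
    done
    return $missing
}

# debugfs_mounted <mounts-file>
# Returns 0 if a debugfs filesystem is mounted on /sys/kernel/debug
# according to <mounts-file> (normally /proc/mounts), 1 otherwise.
debugfs_mounted() {
    awk '$2 == "/sys/kernel/debug" && $3 == "debugfs" { found = 1 } END { exit !found }' "$1"
}

# preflight [config-file] [mounts-file]
# Runs all checks and reports what is missing; returns 1 if anything is.
preflight() {
    cfg=${1:-/boot/config-$(uname -r)}
    mounts=${2:-/proc/mounts}
    rc=0
    check_kconfig "$cfg" $REQUIRED_BPF_OPTS || rc=1
    check_kconfig "$cfg" $REQUIRED_PROCS_OPTS || { echo "opensnitch-procs.o will not work"; rc=1; }
    if debugfs_mounted "$mounts"; then
        echo "debugfs mounted on /sys/kernel/debug"
    else
        echo "debugfs not mounted: run 'sudo mount -t debugfs none /sys/kernel/debug'"
        rc=1
    fi
    return $rc
}

# Only run against the live system when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-}" "${3:-}"
fi
```

Save it as a file and run it with `sh <file> --run` on the target machine; a non-zero exit status means at least one option is off or debugfs is not mounted, and the output names what to fix.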